Current status

Detailed Description

Miroslav is waiting for upstream acceptance of some cryptsetup changes, to avoid filing bugs that don't have the initial step as a dependency.

Add one or two very small packages ("volume_key" or "volume_key-python", perhaps "volume_key-libs") to the installation image

Add two kickstart options (he will post a pykickstart patch)

Use the functionality provided by the volume_key* package to load a certificate from the network, and to store encryption keys or passphrases in a file after creating an encrypted volume. He expects the necessary code in anaconda to be < 100 lines.

Add system-config-kickstart support for the new kickstart options; integrate with other planned changes to the storage configuration GUI, blocked on those.

Add FirstAidKit support for recovering access to encrypted voluems using the stored encryption keys

Target Audience

Enterprise customers want a means by which they can guarantee access to the data on encrypted block devices in employees' systems. This way they still have a way in if the user changes the device's keys/passphrases.

Product Variants / High Level Use Cases

Relevant to desktops/laptops particularly, but depending upon implementation may be interesting for other products as well e.g. to support encrypted databases, medical records protection.

Hardware Architectures

All

Third-Party Dependencies

Cryptsetup-luks and anaconda interdependencies

Bugzilla Numbers

* See Bug 458392 - [RFE] luks: add support for admin keyslot for the prereq from an anaconda POV
* Bug 488718 - (encrypted_LVM) Support for encrypted LVs in LVM2 & key management (tracker) for a description of work in progress